Part 4- How to prepare spreadsheet risk inventory
By Adrian Miric*
|
|
|
In the previous column
we discussed establishing a spreadsheet review group. We concluded by
saying that the group is critical to mitigating the risks within the
organisation and providing the required skills to business to be able to
comprehensively review the spreadsheet that are important to them.
In this, the fourth installment of the column, we examine the
method of preparing a spreadsheet risk inventory once you have
completed your high level analysis and the spreadsheet review
group is established. |
The aim of spreadsheet risk management is
to improve the quality of the spreadsheets used and thereby reduce the
risks. In the high-level analysis outlined in part two we established
that businesses should have established where higher risk
spreadsheets reside. In this stage of preparing an inventory of
spreadsheet risks, users will become more specific about where these potentially
risky spreadsheets are to be found. It is important to remember that
attempting to document every spreadsheet in an organisation may be
impractical.
If it makes the auditors happy and is feasible then it can
be tackled but it is important to remember that above all else the task
must be approached in a practical way. Departments containing
spreadsheets clearly defined as important to the organisation should be
documented.
|
A recent PricewaterhouseCoopers report
maintains that the following should be considered when evaluating the
risks associated with these spreadsheets:
-
Complexity of the spreadsheet and
calculations;
-
Purpose and use of the spreadsheet;
-
Number of spreadsheet users;
-
Type of potential input, logic and interface
errors;
-
Size of the spreadsheet;
-
Degree of understanding and documentation of
the spreadsheet requirements by the developer;
-
Uses of the spreadsheet’s output;
-
Frequency and extent of changes and
modifications to the spreadsheet; and
-
Development and testing of the spreadsheet
before it is used.
|
|
|
The spreadsheet review group should begin with
these points.
Other departments may contain many spreadsheets
and see the creation of many new ones. In this case it is more important
to reach the spreadsheet developers than it is to control the individual
spreadsheets. This is due to the overriding majority of spreadsheet
errors being human-generated, a fact supported by research. By helping
people to build better spreadsheets and by providing them with the right
tools to find a greater percentage of errors faster, the organisation
faces far less risk.
In the final article we will address what can
be done to reduce the risks of both the identifiable spreadsheets and
the key spreadsheet developers.
Other
departments may contain many spreadsheets and see the creation of many
new ones. In this case it is more important to reach the spreadsheet
developers than it is to control the individual spreadsheets. This is
due to the overriding majority of spreadsheet errors being
human-generated, a fact supported by research. By helping people to
build better spreadsheets and by providing them with the right tools to
find a greater percentage of errors faster, the organisation faces far
less risk.
Go to part 5
[
Z
Go back to Part 3
* Adrian Miric is MD of Miricle Solutions. He is a chartered accountant
with IT and financing experience. He spent five years auditing and
designing spreadsheets with KPMG. In the next column he discusses
controlling identifiable spreadsheets.
|
